Virtual CISO

Senior security leadership without the full-time hire.

A Chief Information Security Officer costs $180,000+ per year in NZ — and that's before you can find one (Source: SEEK NZ salary data — seek.co.nz). A KIS virtual CISO gives you experienced, strategic security leadership on a flexible basis. They'll own your security programme structured around NIST CSF 2.0's Govern function, advise your board, and guide your path toward ISO 27001 if that's your goal.

What's included

Dedicated vCISO assigned to your account
Security strategy and annual roadmap (NIST CSF 2.0 Govern framework)
Board and executive-level reporting and briefings
Vendor and supplier security evaluation
Policy development and governance oversight
Regulatory and compliance guidance — NZ Privacy Act 2020, NZISM, NIST CSF 2.0, ISO 27001
Escalation point during incidents

Talk to us about vCISO →

Who the vCISO is right for

Growing SMBs

Scaling fast and security needs to keep pace — but a full-time CISO isn't in the budget yet.

Mid-market businesses

An IT team but no dedicated security leadership. The vCISO bridges that gap strategically.

Boards & leadership teams

Need someone to translate cyber risk into business language — and be accountable for it.

The vCISO uses NIST CSF 2.0 as the primary strategic framework and guides your path to ISO 27001 certification. Typically 1–3 days per month of dedicated time, depending on your needs.

What your vCISO does

Strategic ownership of your security programme.

A consultant tells you what to do. A vCISO helps you do it — and is still there six months later to make sure it worked.

Security strategy & roadmap

An annual security plan aligned to your business goals, built on NIST CSF 2.0's Govern and Identify functions.

Board-level reporting

Regular briefings that translate cyber risk into business language — risks, spend, and outcomes your board can act on.

Compliance programme leadership

Owns your path to ISO 27001, NZISM, and NZ Privacy Act compliance — from gap analysis through to certification.

Vendor security oversight

Reviews security questionnaires from clients and assesses your suppliers' security posture before you onboard them.

Policy & governance

Develops and maintains your security policies, procedures, and governance documentation — keeping them current and usable.

Incident escalation

Your first call when something goes wrong. Coordinates response, communicates with leadership, and manages the process.

Related services

Compliance

Your vCISO leads the compliance programme — from NIST CSF 2.0 alignment to ISO 27001 certification.

View service →

Risk assessment

The vCISO starts with a full NIST CSF 2.0 assessment to understand where you stand today.

View service →

Incident response

Your vCISO is the strategic escalation point when an incident occurs.

View service →

Our Workflow…

Free conversation
We talk about your business, your concerns, and your goals. No sales pitch.
We scope and quote
A clear proposal arrives within two business days. Exact scope, fixed price — no surprises.
We get to work
We handle the heavy lifting. We’ll only contact you when we need something or have something to show you.
We debrief clearly
Every engagement ends with a plain-English walkthrough of findings, recommendations, and next steps.

What you need to provide…

About an hour of your time
For the initial conversation and the final debrief. We do the rest.
Access to the right people
Usually your IT contact (or you, if that’s the same person) and whoever owns the systems in scope.
Read-only access where needed
For most assessments, we only ever need read access — never admin credentials or the ability to make changes.
An honest picture of where you are
The more candid you are about your current setup, the more useful our findings will be. There’s no judgement here.

That’s genuinely it. You don’t need a dedicated IT team, a security background, or any preparation beyond booking the first call.

Not sure which service you need?

Start here.

A free 30-minute conversation. We’ll tell you honestly what your business needs — and what it doesn’t.

Book a free conversation

What others say about us…

We’d always had a family member looking after our IT, and while we trusted them completely, we hadn’t realised how much risk we were quietly carrying. KIS came in and overhauled our entire security setup, got us properly configured with multi-factor authentication, and went through our Microsoft 365 environment to make sure the right people had the right access and licensing. It wasn’t just a technical fix, it was genuine peace of mind. We now know our systems are actually secure, not just looked after by someone who means well.

Jeremy T.Owner, Auto Services

As a financial services firm, protecting client data isn’t optional. We had no formal security management framework in place and knew we needed to get serious. KIS assessed where we stood and mapped out a practical path toward NIST and ISO 27001 compliance, grounded in what was realistic for our size and structure. Their advice was prioritised and clear, and we came away with a credible roadmap and the confidence that we’re taking the right steps in the right order.

Pam K.CIO, Financial Services Firm

We were rolling out AI across the organisation and our internal IT team is great, but this was new territory. We needed someone to close the gaps fast and set us up to manage things ourselves going forward. KIS delivered on all of it. They implemented data loss prevention, a document classification scheme, and Microsoft Purview, and the uplift in our security and compliance posture has been significant. The best part? They didn’t just fix things and leave. We came out of it actually understanding the system and capable of running it ourselves.

Abby S.Compliance Officer, Telecommunications Company

We’re a small non-profit focused on young people, and like many organisations like ours, we were running largely on goodwill and volunteers. We had a website collecting significant personal information and, honestly, we hadn’t fully grasped the risk we were sitting on. KIS conducted a penetration test, walked us through every finding, and worked through remediation of all critical vulnerabilities with our budget in mind the whole time. They treated our mission as if it mattered to them too, and that made all the difference.

Elizabeth C.Senior Leader, Youth Organisation

Senior security leadership without the full-time hire.

Strategic ownership of your security programme.

Security strategy & roadmap

Board-level reporting

Compliance programme leadership

Vendor security oversight

Policy & governance

Incident escalation

Compliance

Risk assessment

Incident response

Our Workflow…

What you need to provide…

Not sure which service you need?

What others say about us…

KIS

Services

Company

Useful links